diff --git a/README.md b/README.md
index e9b9a80..a2a76c3 100644
--- a/README.md
+++ b/README.md
@@ -69,8 +69,10 @@ potential a sane default for an attribute.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
+* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
+* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 0e7cd4c..b72debd 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -4,30 +4,14 @@
 "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
 "version": 1,
 "attributes": {
- "total-pps": {
+ "total-bps": {
 "misp-attribute": "counter",
 "misp-usage-frequency": 0
 },
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
 "text": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
- "total-bps": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0
- },
- "ip-src": {
- "misp-attribute": "ip-src",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
 "ip-dst": {
 "misp-attribute": "ip-dst",
 "misp-usage-frequency": 1,
@@ -36,9 +20,9 @@
 "External analysis"
 ]
 },
- "src-port": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
+ "ip-src": {
+ "misp-attribute": "ip-src",
+ "misp-usage-frequency": 1,
 "categories": [
 "Network activity",
 "External analysis"
@@ -52,6 +36,18 @@
 "External analysis"
 ]
 },
+ "src-port": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ]
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
 "protocol": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0,
@@ -62,7 +58,11 @@
 "IP"
 ]
 },
- "first-seen": {
+ "total-pps": {
+ "misp-attribute": "counter",
+ "misp-usage-frequency": 0
+ },
+ "last-seen": {
 "misp-attribute": "datetime",
 "misp-usage-frequency": 0
 }
diff --git a/objects/url/definition.json b/objects/url/definition.json
new file mode 100644
index 0000000..7aaac1f
--- /dev/null
+++ b/objects/url/definition.json
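Review bot: The four hunks in objects/ddos/definition.json appear only to permute the attribute keys: `total-pps`, `last-seen`, `total-bps`, `ip-src`, `src-port` and `first-seen` are removed in one place and re-added unchanged in another, which buries any real edit in reorder noise. JSON object order carries no meaning, so if this file is written by a script, dumping it with sorted keys would keep future diffs limited to actual changes and make definition reviews tractable. The block between the second and third hunks is outside the visible lines, so I could not confirm that nothing else moved.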
@@ -0,0 +1,78 @@
+{
+ "name": "url",
+ "meta-category": "network",
+ "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
+ "version": 1,
+ "attributes": {
+ "host": {
+ "misp-attribute": "hostname",
+ "misp-usage-frequency": 0
+ },
+ "domain_without_tld": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "domain": {
+ "misp-attribute": "domain",
+ "misp-usage-frequency": 0
+ },
+ "subdomain": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "credential": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "last-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
+ "fragment": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "query_string": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "resource_path": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
+ "scheme": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "sane_default": [
+ "http",
+ "https",
+ "ftp",
+ "gopher",
+ "sip"
+ ]
+ },
+ "port": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "tld": {
+ "misp-attribute": "tld",
+ "misp-usage-frequency": 0
+ },
+ "url": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 1
+ }
+ },
+ "requiredOneOf": [
+ "url"
+ ]
+}
diff --git a/schema.json b/schema.json
index d5defa4..f3e1082 100644
--- a/schema.json
+++ b/schema.json
@@ -27,6 +27,13 @@
 "type": "string"
 }
 },
+ "sane_default": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
 "multiple": {
 "type": "boolean"
 },
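Review bot: In the new objects/url/definition.json, `port` is declared with `"misp-attribute": "text"`, so the value is stored as free text; MISP has a `port` attribute type, and `"misp-attribute": "port"` would let the platform handle it as one (the re-added `src-port` in objects/ddos has the same issue). The attribute names also mix two conventions: `domain_without_tld`, `query_string` and `resource_path` use underscores, while `first-seen` and `last-seen` use hyphens like the other objects, and renaming after objects exist would presumably break them, so it is worth settling now. Separately, `credential`, `query_string` and `fragment` can carry passwords or session tokens from a captured URL. JSON has no comments, so a sentence in `description` asking contributors to review those fields before sharing would be the place to say so.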
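Review bot: The new `sane_default` entry in schema.json sets no lower bound on length, so `"sane_default": []` validates even though an empty default list tells a client nothing; adding `"minItems": 1` next to `"uniqueItems": true` would reject it. The key is also spelled with an underscore, while the attribute keys it sits beside in the definitions (`misp-attribute`, `misp-usage-frequency`) use hyphens, which is worth deciding before objects start depending on it. The enclosing object starts and ends outside the hunk, so whether the sibling array properties carry the same constraints is not visible here.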